1. Field of the Invention
The present invention relates to a communication control system, or more specifically, a P2P communication control system for effectively exploiting peer-to-peer (P2P) communication within an enterprise network constructed using a virtual private network (VPN) service provided by a communication carrier.
2. Description of the Related Art
With the recent growth in broadband connection to the Internet, various P2P applications allowing end users to exchange files over a network are increasing. A P2P application is a kind of file swapping software permitting personal computers (PCs) to directly exchange files over the Internet.
P2P applications are expected to be vigorously utilized within an enterprise network for purposes of (1) forming a secure group of appropriate or necessary members so as to construct a job environment based on the P2P application, and (2) using the P2P application not only to share files, but also to exchange audio and video data, etc.
In this case, an authentication server capable of managing startup of the P2P application and the subscription or unsubscription of members has to be constructed, and P2P software, together with authentication software that accesses the authentication server, has to be installed on the terminals or devices belonging to each group. Moreover, from the viewpoint of security and economy, a VPN service provided by a communication carrier will presumably be used to construct the enterprise network over which headquarters, branch offices, and factories are interconnected.
In the past, the amount of relatively high-priority traffic transferred to or from each site, or between sites, could be estimated or planned. An organization has a determined bandwidth, which is allocated to the carrier line leading to each site according to the estimated or planned value. For traffic sent from each site over the carrier network, the carrier network connection relay equipment owned by the organization checks the priority level assigned to the traffic and performs priority control on the basis of the result of the check. Thus, the quality of high-priority traffic is guaranteed.
Moreover, when the carrier network connection relay equipment at each transmitting site transfers traffic to a destination site over the carrier network, it controls bandwidth according to a design value for the capacity of that destination site. The sum total of high-priority traffic originating from the respective sites is thereby guaranteed not to exceed the bandwidth allocated to the line linking the carrier network and the destination site, so the quality of high-priority traffic is ensured. In this case, relay equipment installed by the carrier discards low-priority traffic that is sent to the site over the carrier network and exceeds the bandwidth allocated to the carrier line leading to that site. The quality control provided by an existing carrier VPN service, and the way an enterprise uses such a service, are as described above.
However, in a situation in which a P2P application is vigorously utilized within an enterprise network constructed by an existing carrier VPN service, the following problems may be encountered.
(1) Difficulty in Designing Traffic
For purpose (1) above, utilizing a P2P application within an organizational network, employees are grouped by job description across sites such as headquarters, branch offices, and factories. It is difficult to estimate the amount of traffic occurring between sites linked over the VPN, or the time at which it occurs. In particular, the use of a P2P application increases this kind of traffic and makes estimation of the amount of traffic even more difficult.
FIG. 1 shows an example of traffic sent to a site over a carrier network within an existing organizational network.
In the organizational network shown in FIG. 1, multiple sites 20, 30, and 40 belonging to an organization are interconnected over a carrier core network 10 as a virtual private network (VPN). An authentication server 50 owned by the organization is installed within the carrier core network 10. Moreover, customer edge (CE) routers 21, 31, and 41 that interface the carrier core network 10 with the VPN are installed at the respective sites 20, 30, and 40.
In this example, P2P applications 22, 32, and 42, or P2P application terminals (hereinafter simply terminals) 22, 32, and 42, belong to a high-priority group, are authenticated by the authentication server 50, and communicate with one another. A large amount of traffic is sent from sites 30 and 40 to site 20. Consequently, the total amount of traffic exceeds the bandwidth contracted for the line over which CE router 21 has network access. As a result, packets making up the large volume of traffic sent from site 30 may be discarded (see the filled star mark in FIG. 1).
If traffic sent from the transmitting-side site 30 exceeds the bandwidth contracted for the line over which CE router 31 has network access, the portion of the packets exceeding the contracted value is discarded in CE router 31.
(2) Prioritization by the Router
The CE router fills the role of Layer-3 relay equipment that is basically designed to handle data packet by packet. The CE router therefore has a bandwidth control feature, but it has neither the P2P communication discrimination feature needed to identify P2P communications nor a feature that recognizes a P2P group and its priority level. The CE router thus cannot prioritize a P2P application (see the x mark in FIG. 1), and consequently cannot control traffic according to priority level or control the bandwidth of high-priority traffic. If high-priority traffic becomes congested, important packets are lost.
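The following is an added example and is not part of the patent. It models, in a few lines of Python, the policing described above for the existing carrier VPN service (a contracted byte budget on the line into a terminating site, with low-priority traffic discarded first) and contrasts it with a Layer-3 relay that cannot tell priority classes apart (problem (2)). It also shows what happens when P2P use pushes the high-priority total itself above the contracted line (problem (1)): even priority-aware policing then discards high-priority packets. The packet sizes, the contracted bandwidth of 1000 bytes per interval, and the per-site bursts are constructed numbers chosen to make the arithmetic easy to follow; nothing here is the patent's own mechanism.

```python
"""Toy model of policing on the carrier line into a terminating site.

Added example, not from the patent: packet sizes, contracted bandwidth
and the per-site bursts are constructed so the arithmetic is easy to check.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_site: int   # originating site number, e.g. 30 or 40 (constructed)
    priority: str   # "high" (authenticated P2P group) or "low"
    size: int       # bytes


def police_fifo(packets: List[Packet], contracted_bytes: int) -> Tuple[List[Packet], List[Packet]]:
    """Policing with no priority awareness (problem (2)): packets are admitted
    in arrival order until the contracted byte budget for this interval is
    used up, and everything after that is discarded."""
    admitted: List[Packet] = []
    dropped: List[Packet] = []
    used = 0
    for p in packets:
        if used + p.size <= contracted_bytes:
            admitted.append(p)
            used += p.size
        else:
            dropped.append(p)
    return admitted, dropped


def police_priority(packets: List[Packet], contracted_bytes: int) -> Tuple[List[Packet], List[Packet]]:
    """Priority-aware policing as described for the existing carrier VPN
    service: the contracted budget is filled with high-priority packets first
    (the stable sort keeps arrival order within a class), then with
    low-priority packets; whatever is left over is discarded."""
    ordered = sorted(packets, key=lambda p: 0 if p.priority == "high" else 1)
    return police_fifo(ordered, contracted_bytes)


def high_priority_fits(packets: List[Packet], contracted_bytes: int) -> bool:
    """The planning assumption behind the quality guarantee: the sum of
    high-priority traffic from all originating sites must not exceed the
    contracted line into the terminating site."""
    return sum(p.size for p in packets if p.priority == "high") <= contracted_bytes


def burst(site: int, n_high: int, n_low: int, size: int = 100) -> List[Packet]:
    """Packets one site sends in one interval, low and high packets interleaved."""
    out: List[Packet] = []
    for i in range(max(n_high, n_low)):
        if i < n_low:
            out.append(Packet(site, "low", size))
        if i < n_high:
            out.append(Packet(site, "high", size))
    return out


def interleave(a: List[Packet], b: List[Packet]) -> List[Packet]:
    """Round-robin merge: packets from two sites arriving alternately at the line."""
    out: List[Packet] = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return out


def summarize(dropped: List[Packet]) -> Dict[Tuple[int, str], int]:
    """Count discarded packets per (originating site, priority)."""
    counts: Dict[Tuple[int, str], int] = {}
    for p in dropped:
        key = (p.src_site, p.priority)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed: the line into site 20 carries ten 100-byte packets per interval.
CONTRACTED_BYTES = 1000

# Scenario A: planned load. High-priority traffic from sites 30 and 40
# totals exactly the contracted line (6 + 4 packets of 100 bytes).
SCENARIO_A = interleave(burst(30, 6, 4), burst(40, 4, 4))

# Scenario B: P2P use above plan (problem (1)). High-priority traffic
# alone totals 1300 bytes, more than the line can carry.
SCENARIO_B = interleave(burst(30, 8, 2), burst(40, 5, 2))

if __name__ == "__main__":
    for name, scen in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(f"scenario {name}: high-priority fits line: {high_priority_fits(scen, CONTRACTED_BYTES)}")
        for label, fn in (("fifo", police_fifo), ("priority", police_priority)):
            _, dropped = fn(scen, CONTRACTED_BYTES)
            print(f"  {label:8s} dropped: {summarize(dropped)}")
```

In scenario A the priority-aware policer discards only the eight low-priority packets, which is the guarantee the carrier service offers, while the priority-blind policer discards six high-priority packets simply because they arrived late in the interval. In scenario B the high-priority total exceeds the contracted line, so even the priority-aware policer discards three high-priority packets from site 30; no policing at the terminating line can recover from a planning error of that kind, which is why the text treats the inability to estimate P2P traffic as a separate problem.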
(3) High Cost due to Use of Layer 7 Switching
In order to control traffic according to a priority level or control the bandwidth of high-priority traffic, high-order layer processing equipment that operates in Layer 7 and can detect and handle a P2P application is needed.
FIG. 2 shows an example of an organizational network having Layer 7 switches 23, 33, and 43 installed at the respective sites 20, 30, and 40. In this example, the Layer 7 switches are installed independently beside the CE routers 21, 31, and 41. Alternatively, routers dedicated to P2P communications and provided with Layer 7 switches may be adopted.
The Layer 7 switches 23, 33, and 43 detect in advance the P2P application traffic that is to be transmitted over the carrier core network 10, and transmit over the carrier core network 10 only the P2P traffic selected on the basis of the priority level given to the P2P application and the permissible bandwidth. In this example, congestion in the originating routers 31 and 41 and in the terminating router 21 can be prevented.
However, P2P communication arises between any pair of sites. Therefore, a Layer 7 switch must be installed at each of the sites 20, 30, and 40. Moreover, since communication between P2P applications generates a large amount of traffic, expensive high-performance high-order layer processing equipment is needed. This increases the cost of constructing the network and its control equipment. Since a large number of sessions must be supported in a large-scale network, the cost of running the network also increases.
The countermeasures described below may be adopted for the foregoing problems (1) to (3). However, these countermeasures cannot thoroughly solve the problems, for the reasons described below.
A countermeasure against problem (2) is for the authentication server 50 to assign a priority level (transmission permission) to a P2P application that cooperates with the authentication server. In this case, data transmission from each of the sites 20, 30, and 40 over the carrier core network 10 can be controlled on the basis of priority levels. However, since the amount of traffic between the sites cannot be known because of problem (1), congestion of traffic sent to each of the sites 20, 30, and 40 over the carrier core network 10 cannot be controlled.
In this case, the authentication server 50 may instruct a terminal at a terminating site that suffers from congestion to suspend P2P communication or to temporarily withdraw from the P2P group. This is effective in reducing the amount of congesting traffic. However, when traffic sent to a site over the carrier core network 10 is congested, an instruction issued from the authentication server 50 travels over the same congested path and may not reach the terminal at that site. Moreover, when a notification of congestion on the carrier core network 10 is posted to the user enterprise as a congestion occurrence report over the carrier core network 10, the report is delayed by that same congestion, and the organization cannot take advantage of it.
A countermeasure for problem (3) is for relay equipment within the carrier core network 10 to collect traffic information per priority level or per destination site, and for the authentication server 50 to acquire this information and dynamically instruct each piece of relay equipment to control traffic (for example, by changing the bandwidth on which shaping is based, or by changing the threshold at which data is discarded according to priority level). Traffic is thereby controlled per site. However, constructing and maintaining such an authentication server 50 is very expensive, and the traffic needed to transmit notifications and instructions over the carrier core network 10 increases.